
Poster: Time Traveller Date: Aug 20, 2009 4:25am
Forum: texts Subject: Greatly useful news re FLASH being a great menace to society as we know it.

The following is not the full article, but I have enough to put weight behind my question, do Ms Tracey and the big boss Brewster want to comment on the following?
Or will they just keep silent again, until it all blows over? === we get sick of waiting for an answer.
Check out FLASH cookies below, nothing like HTML cookies which we all know about, and keep an eye on.
http://en.wikipedia.org/wiki/Adobe_Flash
Security
User Privacy Compromised by Default, via Local Shared Objects (LSOs)
Adobe, like Macromedia, claims disingenuously that Flash MX Players use a sandbox security model, but, contrary to that definition, Flash MX Players (that is, Flash Players subsequent to Version 5) do not seek the user's permission to store on his hard disk so-called Local Shared Objects (LSOs), which constitute an insecure collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether it be stand-alone or Web-based. LSOs — an automatic, invisible opt-in for anyone installing a Flash MX Player — are not temporary files, and there is, deliberately as designed by Macromedia, no obvious control panel to opt out of them; instead, the user who wishes to maintain his privacy must discover on his own their presence, and then find the Macromedia Web-site page ([2] or [3]) whose links activate the Flash MX Player plug-in and then expose the hidden, Flash-based LSO-opt-out "Settings Manager" control panel. Versions of the Flash Player prior to those that handle Flash MX content did not use these silently invasive, privacy-threatening LSOs.
There are already reports of LSO exploitation by advertisers: Flash Player Worries Privacy Advocates (InternetWeek). Most users, including those familiar with Flash who protect themselves from cookies, are unaware of this kind of tracking, which is not curtailed by customary in-browser cookie settings and most cookie-cleaning utilities:
• You Deleted Your Cookies? Think Again (WIRED)
• How Flash Cookies Threaten Your Privacy (Webmaster Tips)
• Company Bypasses Cookie-Deleting Consumers (InformationWeek).
Insecure SOL Files Persist Unprotected Private Info Across Browsers and Other Applications
LSOs are stored in "SOL files" (typically, files with the extension "SOL"). String data, such as one's name, address, or Social Security Number, are stored by default within SOL files as plain ASCII text, which means that the data are insecure and easily read by any application. SOL files may store far more information than the traditional 4K-limited cookie. The default (declared by Macromedia and open to increase at Adobe's whim) SOL-file storage limit is 100K per domain, but this limit is easily bypassed and may be set to UNLIMITED STORAGE: The user may do this deliberately via the aforementioned, buried "Settings Manager" (unlikely, for most users), or he may do it (un)wittingly, such as by answering a prompt from an application seeking to store more than the default 100K.
Flash is NOT required to create, read, or write SOL files, which means that private information stored within them is open to any application that wants it. Examples of non-Flash SOL-file editors and toolkits include: SolVE, ASV SOL Viewer and Editor, .SOL Editor, and Dojo JavaScript Toolkit.
Opted-In-By-Default Users Caught Unaware and Unprotected
Most Web-browser users do not realize that Web pages do not have to offer any visible signs that a Flash application is running and accessing personal information stored in SOL files. Even Web developers know that it would be difficult to detect if a Flash application were utilizing SOL files.
To this day, there is little public awareness of Adobe/Macromedia's hidden, proprietary-cookie LSOs, and no widespread, well-known utility-suite, anti-spyware, or anti-adware programs that address them. Users who delete traditional cookies with such programs may find those cookies resurrected because of Adobe/Macromedia's LSOs: Tool Can Resurrect Deleted Cookies (Out-Law.com). Since LSOs, unlike traditional cookies, have no expiration dates, the information resurrected in those cookies may persist indefinitely.
The default storage location for LSOs is operating-system dependent. For Windows XP, the location is within each user's Application Data directory, under Macromedia\Flash Player\#SharedObjects. Additional information is available at the Electronic Privacy Information Center's Local Shared Objects — "Flash Cookies" page.
User PCs Compromised via Flash Players
Specially crafted files have been shown to cause Flash applications to malfunction, by allowing the execution of malevolent code. The Flash Player has a long history of security flaws that expose computers to remote attacks. In addition to entries in the Open Source Vulnerability Database, security advisories published in August 2002, December 2002, and November 2005 highlight just three examples of reports about various Flash Player versions that allowed the takeover of a victim's PC, whether the viewed Flash SWF file had been embedded in a Web page, sent in an e-mail, or downloaded by the user.
Criticism
Usability
Many usability concerns regarding Flash concern how it breaks with conventions associated with normal HTML pages. Things like selecting text, scrollbars,[37] form control and right-clicking act differently than with a regular HTML webpage. Usability expert Jakob Nielsen published an Alertbox in 2000 entitled, Flash: 99% Bad which listed many of these issues.[38] Much of this criticism was due to poor implementation, rather than inherent problems with Flash. Some problems have been fixed since Nielsen's complaints; text size, for example, can now be easily controlled using the full page zoom now implemented in many modern browsers.
The US Justice Department has stated in regard to the Americans with Disabilities Act of 1990:[citation needed]
Covered entities under the ADA are required to provide effective communication, regardless of whether they generally communicate through print media, audio media, or computerized media such as the Internet. Covered entities that use the Internet for communications regarding their programs, goods, or services must be prepared to offer those communications through accessible means as well.
Although it has been possible for authors to include alternative text content in Flash since Flash Player 6, Flash's accessibility features are compatible only with certain screen readers and only under Windows.[39] Internet users who are visually-impaired, or who require larger text sizes or high-contrast color schemes may find sites that make extensive use of Flash difficult, although the former can now be controlled using the full page zoom options found in many modern browsers.
Violating freedom of the web
The proprietary nature of Flash is a major concern to advocates of open standards and free software. Its widespread use has, according to some such observers, harmed the otherwise open nature of the World Wide Web.[40] A response may be seen in Adobe's Open Screen Project.
Representing open standards, inventor of CSS and co-author of HTML 5, Håkon Wium Lie explained in a Google tech talk the proposal of Theora as the video codec for HTML 5[41] (see also the Ogg controversy):
I believe very strongly, that we need to agree on some kind of baseline video format if [the video element] is going to succeed. Flash is today the baseline format on the web. The problem with Flash is that it's not an open standard.
Presenting the free software movement, Richard Stallman stated in a speech in October 2004 that:[42]
The use of Flash in websites is a major problem for our community.
Stallman's argument then was that no free players were comparatively good enough. As of February 2009, Gnash and Swfdec have seen very limited success in competing with Adobe's player. The fact that many important and popular websites expect users to have Adobe's player, combined with the lack of good free alternatives have led to frustration among users,[43] suggesting that this is the most common obstacle to enjoying the web in freedom, which presumably relates to the continual high ranking of Gnash on the Free Software Foundation's list of high priority projects.[44]
Referring to the web's openness, an essential feature is that web pages as well as the files they consist of are coupled together by human readable text. Similarly, the openness of the internet lies in its protocols. Thus, the common practice by video centric websites of hiding the URL of web embedded multimedia using Flash or Silverlight, obfuscating the URL with javascript, or using custom protocols like RTMP (Flash) or MMS (Windows Media streams), may seem threatening to the openness of the web. Such nonstandardization makes it hard to use other software than intended by the publisher, in turn making it hard to do other things than intended by the respective software programmers. For example, the words "streaming" and "download" are often used by web publishers as if they were mutually exclusive events independently allowed by their service, although the distinction, whether the client plays or saves the transmitted data or even both, is solely up to the client. Imposing the opposite impression in effect restricts users' control of their own computing.
Flash cookies
Similar to the HTTP cookie, a Flash cookie is a Local Shared Object that can be used to track users, assign unique user ids, and/or save application parameters. An August 2009 study by the Social Science Research Network found that 50% of websites using Flash were also employing Flash cookies. However, privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.[45] It's a relatively simple tactic to employ; a website need not even have deep flash functionality. For example, it is possible to embed a small 1x1 pixel transparent background flash file somewhere out of the way on a page - and all of the programming features, including access to the Local Shared Object will be available. Most surprising is that it took 9 years for this tactic to be discussed by the general public, considering that versions of this existed previous to the Local Shared Object and has long been a staple in subverting cookies.
Use of computer resources
• It is argued that the performance of Adobe Flash Player on different platforms may not be optimal.[46]
• Any flash player has to be able to animate on top of the video rendering, which makes hardware accelerated video rendering at least not as straightforward as with a purpose built multimedia player.[47] It is not uncommon for other multimedia players to play fine where Flash Player drops frames and skips audio.[48]
Many popular web browsers now have extensions that prevent immediate Flash playback, but let the user play it by clicking it first. Firefox has NoScript and Flashblock while a separate extension for Opera called Flashblock is available. One similar extension for Internet Explorer is Foxie, and contains a number of features, one of which is also named Flashblock. K-Meleon has a built-in Flash blocker. WebKit-based browsers under Mac OS X have ClickToFlash.



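An audit sketch for the storage details quoted in the post above, added here as an example and not part of the original post or of any Adobe tooling: it walks a `#SharedObjects` directory, totals `.sol` bytes per domain against the quoted 100K default, and pulls out the plain ASCII strings any program can read. The directory layout below the root (`<profile dir>/<domain>/...`), the domain names and the sample file bytes are assumptions constructed for the demo.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

DEFAULT_LIMIT = 100 * 1024  # default per-domain limit quoted in the post (100K)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, like strings(1)

def audit_shared_objects(root):
    """Group .sol files under root by domain; report size and readable strings."""
    report = defaultdict(lambda: {"bytes": 0, "files": [], "strings": []})
    for sol in sorted(Path(root).rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Assumed layout: <profile dir>/<domain>/.../<name>.sol
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        data = sol.read_bytes()
        entry = report[domain]
        entry["bytes"] += len(data)
        entry["files"].append(sol.name)
        entry["strings"] += [m.decode("ascii") for m in ASCII_RUN.findall(data)]
    for entry in report.values():
        entry["over_default_limit"] = entry["bytes"] > DEFAULT_LIMIT
    return dict(report)

def build_sample_tree(base):
    """Constructed sample data, not real LSO files: two domains, one oversized."""
    root = Path(base) / "#SharedObjects"
    small = root / "ABCD1234" / "tracker.example" / "prefs.sol"
    big = root / "ABCD1234" / "games.example" / "save.sol"
    for p in (small, big):
        p.parent.mkdir(parents=True, exist_ok=True)
    small.write_bytes(b"\x00\xbf\x00\x00\x00\x1eTCSO\x00\x04\x00\x05prefs"
                      b"\x00\x03uid\x02\x00\x0cuser-0042-xy\x00")
    big.write_bytes(b"\x00\xbfTCSO" + b"\x01" * (DEFAULT_LIMIT + 1))
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_shared_objects(build_sample_tree(tmp))

if __name__ == "__main__":
    for domain, info in demo().items():
        print(domain, info["bytes"], info["over_default_limit"], info["strings"])
```

To audit a real profile, pass the `#SharedObjects` path named in the post to `audit_shared_objects` instead of the constructed tree.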

Poster: garthus Date: Aug 20, 2009 6:14am
Forum: texts Subject: Re: Greatly useful news re FLASH being a great menace to society as we know it.

Peter,

This is the one to post. Amazing that Pooh and the other developers seemed to know little about this.

Gerry


Poster: Time Traveller Date: Aug 20, 2009 11:37pm
Forum: texts Subject: Re: Greatly useful news re FLASH being a great menace to society as we know it.

Would you believe that Wikipedia used FLASH to turn the on-line article into a printable document?

http://www.archive.org/details/ReasonForArchiveToNotUseFlash

first try, it failed,

still 30-minutes before I finish description. (I always do that afterwards.